Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL prior to 1.0.1t and 1.0.2 prior to 1.0.2h allows remote malicious users to cause a denial of service (heap memory corruption) via a large amount of data.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
openssl openssl 1.0.2a |
||
openssl openssl 1.0.2e |
||
openssl openssl 1.0.2b |
||
openssl openssl 1.0.2g |
||
openssl openssl 1.0.2c |
||
openssl openssl 1.0.2 |
||
openssl openssl |
||
openssl openssl 1.0.2f |
||
openssl openssl 1.0.2d |
||
redhat enterprise linux desktop 7.0 |
||
redhat enterprise linux server aus 7.2 |
||
redhat enterprise linux workstation 7.0 |
||
redhat enterprise linux server 7.0 |
||
redhat enterprise linux hpc node 7.0 |
||
redhat enterprise linux server eus 7.2 |
||
redhat enterprise linux hpc node eus 7.2 |
||
redhat enterprise linux hpc node 6.0 |
||
redhat enterprise linux desktop 6.0 |
||
redhat enterprise linux server 6.0 |
||
redhat enterprise linux workstation 6.0 |
Two innocent programming blunders breed high-risk flaw
Six security patches – two of them high severity – have been released today for OpenSSL 1.0.1 and 1.0.2. Last week, the open-source crypto-library project warned that a bunch of fixes were incoming, and true enough, Tuesday’s updates address serious flaws that should be installed as soon as possible. CVE-2016-2108 is a curious beast; a hybrid of two low-risk bugs that can be fused into a serious problem. The first is a seemingly innocuous issue with the ASN.1 parser whereby if a zero is re...
Vulmon